Closed mhristache closed 4 years ago
Hi, Not sure I understand correctly. If you are receiving encapsulated packets (assuming the encapsulation is pcap, not pcap-ng), there are several options:
parse_pcap_frame
directly on the data, however you'll have to handle the fragmentation (if any)LegacyPcapReader
), you'll have to create a struct providing the Read
trait. This structure would return a forged legacy pcap header on the first call, which is not too hard to create (see PcapHeader
). Most fields are fixed, but you have to know snaplen
. linktype
is not necessary in the header (it is only called when parsing data). If you use the serialize
feature, you can even create the struct and serialize it.Thanks for the help!
I got it working using the streaming API by creating a forged pcap header then chain it into the original data usin the Read::chain
method.
Hi
I am trying to build a packet sniffer server and I am receiving pcap lib Packets via TCP but without the pcap file header. Is there a way to parse these packets using pcap-parser, e.g. add a pcap file header on the server side before calling the pcap-parser? The datalink type is always the same so that should not be an issue.
Thank you